Posted to cvs@httpd.apache.org by jo...@apache.org on 2014/07/14 23:31:09 UTC

svn commit: r1610541 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Author: jorton
Date: Mon Jul 14 21:31:09 2014
New Revision: 1610541

URL: http://svn.apache.org/r1610541
Log:
Add CVE-2014-0118, CVE-2014-0226, thanks to Mark for doing most of the work here.

Modified:
    httpd/site/trunk/content/security/vulnerabilities-httpd.xml

Modified: httpd/site/trunk/content/security/vulnerabilities-httpd.xml
URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/vulnerabilities-httpd.xml?rev=1610541&r1=1610540&r2=1610541&view=diff
==============================================================================
--- httpd/site/trunk/content/security/vulnerabilities-httpd.xml (original)
+++ httpd/site/trunk/content/security/vulnerabilities-httpd.xml Mon Jul 14 21:31:09 2014
@@ -1,4 +1,51 @@
-<security updated="20140326">
+<security updated="20140714">
+
+<issue fixed="2.4.10-dev" reported="20140219" public="20140714" released="20140714">
+<cve name="CVE-2014-0118"/>
+<severity level="3">moderate</severity>
+<title>mod_deflate denial of service</title>
+<description><p>
+A resource consumption flaw was found in mod_deflate.  If request body
+decompression was configured (using the "DEFLATE" input filter), a
+remote attacker could cause the server to consume significant memory 
+and/or CPU resources.  The use of request body decompression is not a common
+configuration.
+</p></description>
+<acknowledgements>
+This issue was reported by Giancarlo Pellegrino and Davide Balzarotti
+</acknowledgements>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.8"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
+
+<issue fixed="2.4.10-dev" reported="20140530" public="20140714" released="20140714">
+<cve name="CVE-2014-0226"/>
+<severity level="3">moderate</severity>
+<title>mod_status buffer overflow</title>
+<description><p>
+A race condition was found in mod_status.  An attacker able to access
+a public server status page on a server using a threaded MPM could send a carefully crafted 
+request which could lead to a heap buffer overflow.  Note that it is not a default
+or recommended configuration to have a public accessible server status page.
+</p></description>
+<acknowledgements>
+This issue was reported by Marek Kroemeke via HP ZDI
+</acknowledgements>
+<affects prod="httpd" version="2.4.9"/>
+<affects prod="httpd" version="2.4.8"/>
+<affects prod="httpd" version="2.4.7"/>
+<affects prod="httpd" version="2.4.6"/>
+<affects prod="httpd" version="2.4.4"/>
+<affects prod="httpd" version="2.4.3"/>
+<affects prod="httpd" version="2.4.2"/>
+<affects prod="httpd" version="2.4.1"/>
+</issue>
 
 <issue fixed="2.4.7" reported="20130914" public="20140714" released="20131126">
 <cve name="CVE-2013-4352"/>
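Review bot: Both new `<issue>` elements carry `fixed="2.4.10-dev"` (the lines opening each issue), a development-snapshot label, whereas the rest of the file records a shipped version in that attribute (the following issue has `fixed="2.4.7"`), so anything that maps the advisory to a release number cannot resolve these two entries. Presumably this is a placeholder until the fix ships; it should then be rewritten as the released version, and the `released="20140714"` value, currently identical to `public`, re-checked against the actual release date. The second description text also carries trailing whitespace on the "remote attacker could cause the server to consume significant memory " and "threaded MPM could send a carefully crafted " lines, and the latter runs well past the width used elsewhere; reflowing the paragraph would keep the file consistent.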